Merge branch 'id-token-decoder' into dev

Author: rayluo

msal/oauth2cli/__init__.py

@@ -1,5 +1,5 @@
-__version__ = "0.1.0"
+__version__ = "0.2.0"
 
-from .oauth2 import Client
+from .oidc import Client
 from .assertion import JwtSigner
 

msal/oauth2cli/oidc.py

@@ -0,0 +1,70 @@
+import json
+import base64
+import time
+
+from . import oauth2
+
+
+def base64decode(raw):
+    """A helper can handle a padding-less raw input"""
+    raw += '=' * (-len(raw) % 4)  # https://stackoverflow.com/a/32517907/728675
+    return base64.b64decode(raw).decode("utf-8")
+
+
+def decode_id_token(id_token, client_id=None, issuer=None, nonce=None, now=None):
+    """Decodes and validates an id_token and returns its claims as a dictionary.
+
+    ID token claims would at least contain: "iss", "sub", "aud", "exp", "iat",
+    per `specs <https://openid.net/specs/openid-connect-core-1_0.html#IDToken>`_
+    and it may contain other optional content such as "preferred_username",
+    `maybe more <https://openid.net/specs/openid-connect-core-1_0.html#Claims>`_
+    """
+    decoded = json.loads(base64decode(id_token.split('.')[1]))
+    err = None  # https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+    if issuer and issuer != decoded["iss"]:
+        # https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
+        err = ('2. The Issuer Identifier for the OpenID Provider, "%s", '
+            "(which is typically obtained during Discovery), "
+            "MUST exactly match the value of the iss (issuer) Claim.") % issuer
+    if client_id:
+        valid_aud = client_id in decoded["aud"] if isinstance(
+            decoded["aud"], list) else client_id == decoded["aud"]
+        if not valid_aud:
+            err = "3. The aud (audience) Claim must contain this client's client_id."
+    # Per specs:
+    # 6. If the ID Token is received via direct communication between
+    # the Client and the Token Endpoint (which it is in this flow),
+    # the TLS server validation MAY be used to validate the issuer
+    # in place of checking the token signature.
+    if (now or time.time()) > decoded["exp"]:
+        err = "9. The current time MUST be before the time represented by the exp Claim."
+    if nonce and nonce != decoded.get("nonce"):
+        err = ("11. Nonce must be the same value "
+            "as the one that was sent in the Authentication Request")
+    if err:
+        raise RuntimeError("%s id_token was: %s" % (
+            err, json.dumps(decoded, indent=2)))
+    return decoded
+
+
+class Client(oauth2.Client):
+    """OpenID Connect is a layer on top of the OAuth2.
+
+    See its specs at https://openid.net/connect/
+    """
+
+    def decode_id_token(self, id_token, nonce=None):
+        """See :func:`~decode_id_token`."""
+        return decode_id_token(
+            id_token, nonce=nonce,
+            client_id=self.client_id, issuer=self.configuration.get("issuer"))
+
+    def _obtain_token(self, grant_type, *args, **kwargs):
+        """The result will also contain one more key "id_token_claims",
+        whose value will be a dictionary returned by :func:`~decode_id_token`.
+        """
+        ret = super(Client, self)._obtain_token(grant_type, *args, **kwargs)
+        if "id_token" in ret:
+            ret["id_token_claims"] = self.decode_id_token(ret["id_token"])
+        return ret
+

msal/token_cache.py

@@ -2,20 +2,16 @@
 import threading
 import time
 import logging
-import base64
 
 from .authority import canonicalize
+from .oauth2cli.oidc import base64decode, decode_id_token
 
 
 logger = logging.getLogger(__name__)
 
 def is_subdict_of(small, big):
     return dict(big, **small) == big
 
-def base64decode(raw):  # This can handle a padding-less raw input
-    raw += '=' * (-len(raw) % 4)  # https://stackoverflow.com/a/32517907/728675
-    return base64.b64decode(raw).decode("utf-8")
-
 
 class TokenCache(object):
     """This is considered as a base class containing minimal cache behavior.
@@ -112,8 +108,8 @@ def add(self, event, now=None):
                     }
 
             if client_info:
-                decoded_id_token = json.loads(
-                    base64decode(id_token.split('.')[1])) if id_token else {}
+                decoded_id_token = decode_id_token(
+                    id_token, client_id=event["client_id"]) if id_token else {}
                 key = self._build_account_key(home_account_id, environment, realm)
                 self._cache.setdefault(self.CredentialType.ACCOUNT, {})[key] = {
                     "home_account_id": home_account_id,

tests/test_application.py

@@ -181,7 +181,7 @@ def setUp(self):
             "token_endpoint": "{}/oauth2/v2.0/token".format(self.authority_url),
             "response": TokenCacheTestCase.build_response(
                 access_token="Siblings won't share AT. test_remove_account() will.",
-                id_token=TokenCacheTestCase.build_id_token(),
+                id_token=TokenCacheTestCase.build_id_token(aud=self.preexisting_family_app_id),
                 uid=self.uid, utid=self.utid, refresh_token=self.frt, foci="1"),
             })  # The add(...) helper populates correct home_account_id for future searching
 

tests/test_token_cache.py

@@ -1,6 +1,7 @@
 import logging
 import base64
 import json
+import time
 
 from msal.token_cache import *
 from tests import unittest
@@ -13,12 +14,17 @@
 class TokenCacheTestCase(unittest.TestCase):
 
     @staticmethod
-    def build_id_token(sub="sub", oid="oid", preferred_username="me", **kwargs):
+    def build_id_token(
+            iss="issuer", sub="subject", aud="my_client_id", exp=None, iat=None,
+            preferred_username="me", **claims):
         return "header.%s.signature" % base64.b64encode(json.dumps(dict({
+            "iss": iss,
             "sub": sub,
-            "oid": oid,
+            "aud": aud,
+            "exp": exp or (time.time() + 100),
+            "iat": iat or time.time(),
             "preferred_username": preferred_username,
-            }, **kwargs)).encode()).decode('utf-8')
+            }, **claims)).encode()).decode('utf-8')
 
     @staticmethod
     def build_response(  # simulate a response from AAD
@@ -54,9 +60,11 @@ def setUp(self):
         self.cache = TokenCache()
 
     def testAdd(self):
-        id_token = self.build_id_token(oid="object1234", preferred_username="John Doe")
+        client_id = "my_client_id"
+        id_token = self.build_id_token(
+            oid="object1234", preferred_username="John Doe", aud=client_id)
         self.cache.add({
-            "client_id": "my_client_id",
+            "client_id": client_id,
             "scope": ["s2", "s1", "s3"],  # Not in particular order
             "token_endpoint": "https://login.example.com/contoso/v2/token",
             "response": self.build_response(